SSH Authorized Keys Redirection Exploit Targeting Multiple User Directories
Executive Summary
- SGI sensors detected an attempted exploit involving the redirection of SSH authorized keys.
- The attack targets multiple user directories, including root, home directories for various users (e.g., learn, tmax, cris, postgresql, jenkins, alex, auditor, uos, water, ftpuser, ubuntu, jbernal, tim, lab, testuser).
- The likely objective is to gain unauthorized SSH access to compromised systems.
- The business risk is high due to potential data breaches, system compromise, and disruption of services.
Organizations should immediately review and harden SSH configurations to prevent unauthorized access and lateral movement.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-25T08:55:39.305Z | | 103.63.108.XXX | AS38732 | VN | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On October 25, 2025, SGI sensors detected suspicious network activity originating from IP address 103.63.108.25, associated with ASN AS38732 in Vietnam. The traffic was TCP-based and contained a payload with a known malicious hash. The payload appears to be designed to redirect SSH authorized keys to grant unauthorized access to affected systems.
Malware/Technique Overview
The observed malware family, named 20251024-142943-d70d621be199-1-redir__root__ssh_authorized_keys, is designed to modify or replace the authorized_keys file in various user directories. This allows attackers to gain unauthorized SSH access to the system using their own injected keys. The attack vector likely involves exploiting vulnerabilities or weak configurations to write to these sensitive files.
- T1078.002 Valid Accounts: Domain Accounts
- T1190 Exploit Public-Facing Application
- T1556.002 Modify Authentication Process: SSH Keys
- T1059.004 Command and Scripting Interpreter: Unix Shell
- T1021.004 Remote Services: SSH
VirusTotal Snapshot
VirusTotal analysis indicates that the detected sample has a score of 29 malicious detections out of 60 total scans. This suggests a moderate level of threat, with multiple vendors flagging the sample as suspicious or malicious. The remaining 31 scans were undetected. Some of the aliases observed include variations targeting different usernames, suggesting a widespread campaign.
- Malicious: 29
- Undetected: 31
- Harmless: 0
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 103.63.108.XXX | Medium | 2025-10-25T08:55:39.305Z | AS38732 CMC Telecom Infrastructure Company |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-10-25T08:55:39.305Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL:
index=* (source=ssh* OR source=auth*) ("Failed publickey" OR "Accepted publickey") | search clienthost="103.63.108.XXX" | table _time, user, clienthost, sourcetype
This query searches for SSH authentication logs and filters for connections originating from the identified malicious IP address. Validate that the `clienthost` IP is expected or if it represents anomalous activity.
Elastic/Kibana KQL:
(event.category:authentication AND event.type:connection AND client.ip:103.63.108.XXX) OR file.hash.sha256:"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
This query searches authentication logs for connections from the malicious IP or any file modifications with the malicious SHA256 hash. Ensure that the affected users are legitimate and haven’t experienced any account compromise.
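As an added, runnable illustration of what the two queries look for (example code written for this page, not SGI's detection content), the script below applies the same two checks to sshd auth.log lines: a source IP on a blocklist and a key fingerprint that is not on an approved list. The log lines, addresses and fingerprints are constructed; a production blocklist would carry the report's IoC address.

```python
import re

# The line sshd writes to auth.log on a successful public-key login. "Failed publickey"
# lines are deliberately ignored here, although the report's SPL query keeps them.
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ "
    r"ssh2: (?P<keytype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)")

def hunt_publickey_logins(lines, blocked_ips, approved_fps):
    """Return one alert per accepted key login from a blocked IP or with an unapproved key."""
    alerts = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m is None:
            continue
        reasons = []
        if m["ip"] in blocked_ips:
            reasons.append("source ip on blocklist")
        if m["fp"] not in approved_fps:
            reasons.append("key fingerprint not approved")
        if reasons:
            alerts.append({"user": m["user"], "ip": m["ip"], "keytype": m["keytype"],
                           "fingerprint": m["fp"], "reasons": reasons})
    return alerts

# Constructed sample data: documentation-range addresses and placeholder fingerprints,
# not the report's IoCs.
OPS_FP = "SHA256:" + "o" * 43
INJECTED_FP = "SHA256:" + "i" * 43
SAMPLE_LOG = [
    f"Oct 25 08:55:39 web1 sshd[2211]: Accepted publickey for ops from 198.51.100.4 port 40122 ssh2: ED25519 {OPS_FP}",
    f"Oct 25 08:57:02 web1 sshd[2290]: Failed publickey for root from 203.0.113.9 port 51800 ssh2: RSA {INJECTED_FP}",
    f"Oct 25 08:57:05 web1 sshd[2294]: Accepted publickey for root from 203.0.113.9 port 51802 ssh2: RSA {INJECTED_FP}",
]
BLOCKED_IPS = {"203.0.113.9"}   # in production: the 103.63.108.x address from the IoC table
APPROVED_FPS = {OPS_FP}         # in production: fingerprints from the key inventory
```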
Containment, Eradication & Recovery
- Isolate affected systems: Immediately disconnect any systems showing signs of compromise from the network to prevent further lateral movement.
- Block malicious IP: Block the identified malicious IP address (103.63.108.25) at the firewall level to prevent further communication.
- Scan for malicious files: Perform a thorough scan of all systems, focusing on user home directories and the /root directory, for unauthorized modifications to .ssh/authorized_keys files.
- Reimage compromised systems: If systems are confirmed to be compromised, reimage them from a known good backup or image.
- Reset credentials: Reset the passwords for all user accounts potentially affected by the compromise.
Ensure IT and leadership are informed of the incident and recovery plan. Preserve logs and artifacts for forensic analysis.
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH connections to prevent unauthorized access, even with compromised keys.
- Tune Endpoint Detection and Response (EDR) (NIST CSF DE.CM-1, CIS Control 8): Configure EDR solutions to detect and block unauthorized modifications to SSH configuration files.
- Network Segmentation (NIST CSF PR.DS-4, CIS Control 14): Implement network segmentation to limit the potential impact of a compromised system.
- Least Privilege (NIST CSF PR.AC-3, CIS Control 5): Apply the principle of least privilege to limit user access to only what is necessary.
- Patch Management (NIST CSF PR.PT-1, CIS Control 7): Maintain an aggressive patch management schedule for all systems and applications to address known vulnerabilities.
Disable password-based SSH authentication and only allow key-based authentication. Regularly audit SSH configurations and authorized keys files.
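The authorized_keys scan called for under containment and the periodic audit recommended here can be scripted. The following is an added example (not SGI's tooling or part of the original report) that fingerprints each entry the way ssh-keygen -lf does and flags any key not on an approved list; the sample file contents are constructed and the key blobs are arbitrary valid base64, not real public keys. The live-host helper audit_host assumes the standard /root and /home layout.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

# The key-type token marks where an optional options prefix ends and the key blob begins.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, approved: set) -> list:
    """One finding per entry that is unparseable, malformed, or not on the allowlist."""
    findings = []
    for lineno, entry in enumerate(map(str.strip, text.splitlines()), 1):
        if not entry or entry.startswith("#"):
            continue
        m = KEY_RE.search(entry)
        if m is None:
            findings.append({"line": lineno, "reason": "unparseable entry"})
            continue
        try:
            fp = fingerprint(m.group(2))
        except binascii.Error:
            findings.append({"line": lineno, "reason": "malformed key blob"})
            continue
        if fp not in approved:  # options such as command= or from= are reported, never trusted
            findings.append({"line": lineno, "reason": "key not on allowlist", "type": m.group(1),
                             "fingerprint": fp, "options": entry[:m.start(1)].strip(),
                             "comment": m.group(3) or ""})
    return findings

def audit_host(approved: set, home_root: str = "/home") -> dict:
    """Check /root and every home directory, the locations named in the report."""
    paths = [Path("/root/.ssh/authorized_keys"), *Path(home_root).glob("*/.ssh/authorized_keys")]
    return {str(p): audit_authorized_keys(p.read_text(), approved) for p in paths if p.is_file()}

# Constructed sample: blobs are arbitrary valid base64, not real public keys.
OPERATOR_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIGxlZ2l0aW1hdGUtb3BlcmF0b3Ita2V5LWJ5dGVz"
SAMPLE_AUTHORIZED_KEYS = f"""# approved operator key
ssh-ed25519 {OPERATOR_BLOB} ops@bastion
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDpbGFudGVkLWtleS1ieXRlc3h4 backup
"""
APPROVED = {fingerprint(OPERATOR_BLOB)}  # in practice, load from a signed key inventory
```

Running audit_host(APPROVED) on a host returns, per file, only the entries that need a human decision, so an empty result for every path is the expected clean state.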
Business Impact & Risk Outlook
A successful SSH authorized keys redirection attack can lead to significant operational disruption, data breaches, and reputational damage. Legal and compliance risks may arise from the compromise of sensitive data. The risk is amplified if privileged accounts are compromised, allowing attackers to escalate privileges and move laterally within the network.
We anticipate that attackers will continue to target SSH configurations as a primary means of gaining unauthorized access. Organizations should proactively strengthen their SSH security posture to mitigate this risk.
Appendix
Redacted Payload Snippet:
<html><body><script>window.location = 'http://103.63.108.25/20251024-142943-d70d621be199-1-redir__root__ssh_authorized_keys';</script></body></html>
Assumptions & Data Gaps:
- The specific vulnerability being exploited is unknown, but we assume a vulnerability in a service allowing write access to the authorized_keys file.
- Port information is missing.
References: